FDICIA Reporting for Financial Institutions
Reporting Changes Under Part 363 and SAS 130
CONTENTS
INTRODUCTION
REQUIREMENTS BY TIER
  Management Assessment
  Independent Auditors
FILING DEADLINES
INTERNAL CONTROL OVER FINANCIAL REPORTING (ICFR)
  ICFR Reporting Requirements Timeline
  Five Components of an Internal Control System
  Objectives for Auditors Under SAS 130
IMPLEMENTATION
  Challenges
  An Effective Approach
  Benefits of Outsourcing
The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including, without limitation, legal, accounting, or investment advice. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although this information may have been prepared by professionals, it should not be used as a substitute for professional services. If legal, accounting, investment, or other professional advice is required, the services of a professional should be sought.
MOSS ADAMS FDICIA Reporting for Financial Institutions
INTRODUCTION
A number of annual reporting and other requirements have been placed on insured depository institutions with $500 million or more in consolidated total assets since the Federal Deposit Insurance Corporation (FDIC) Improvement Act was signed into law in December 1991.
Effective December 15, 2016, Statement of Auditing Standards (SAS) No. 130, An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of the Financial Statements, changed how annual reporting requirements under the Federal Deposit Insurance Corporation Improvement Act (FDICIA) Part 363 are applied.
Nonpublic institutions continue to be divided into three tiers based on consolidated total assets.
Tiers by consolidated total assets: <$500 million | $500 million–$1 billion | >$1 billion
Institutions over the $1 billion threshold are now subject to a much more rigorous audit, similar to many public institutions subject to SEC oversight.
The new audit requirements are rigorous and could put a strain on an institution’s internal resources and expertise. Compliance with these new requirements will require greater diligence by management in assessing their institution’s existing internal control framework and evaluating control system effectiveness.
REQUIREMENTS BY TIER
The FDICIA requirements effectively create a four-tiered system with some key differences in annual audit and reporting requirements for institutions in the top two tiers.
REQUIREMENTS UNDER FDICIA PART 363

| Requirement | $500 million–$1 billion | >$1 billion |
| --- | --- | --- |
| Audited comparative annual financial statements | Yes | Yes |
| Management statement of responsibility over internal control over financial reporting (ICFR) | Yes | Yes |
| Management assessment of the operating effectiveness of ICFR | No | Yes |
| External integrated audit of ICFR by independent auditors | No | Yes |
MANAGEMENT STATEMENT AND ASSESSMENT
Institutions with total assets greater than $500 million must include a report by management on its responsibilities and conclusions for the following:
• Preparation of annual financial statements
• Establishment and maintenance of an adequate internal control structure over financial reporting
• Compliance with the designated safety and soundness laws and regulations related to insider loans and dividend restrictions, as well as a conclusion by management regarding compliance and disclosures of any noncompliance
Institutions with $1 billion or more in consolidated total assets must also include a statement on the effectiveness of the internal control structure over financial reporting from both management and an independent public accountant.
INDEPENDENT AUDITORS
Historically, use of an independent auditor to examine and report on management’s assertion about the effectiveness of ICFR was allowed as an attestation engagement under American Institute of CPAs (AICPA) standards.
Now, independent auditors no longer have the option to examine and report on management’s assertion, due to the AICPA’s rescission of the attestation standard. In its place, the AICPA adopted a standard for an integrated audit of both the financial statements and ICFR, in accordance with SAS 130.
While SEC issuers are very familiar with an integrated audit due to the requirements of the Sarbanes-Oxley Act, this is the first time an integrated audit standard is available for nonpublic institutions and their auditors.
FILING DEADLINES
An institution’s FDICIA annual report needs to be filed within 120 days after the end of the fiscal year unless one of the following applies:
• The institution is a public company or subsidiary of one.
• The institution is a subsidiary of a public holding company with consolidated total assets that make up 75% or more of the total consolidated assets of the public holding company as of the beginning of its fiscal year.
Institutions meeting one of these criteria need to file the report within 90 days after their fiscal year end.
If you’re unable to file within the allotted timeframe, a notification of late filing must be filed with the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor.
INTERNAL CONTROL OVER FINANCIAL REPORTING (ICFR)
Internal control is “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.”
The concept of internal control can be applied broadly to operational, compliance, and other areas of an organization’s operation. ICFR focuses on controls that prevent or detect errors in external financial reporting.
Federal law has required companies to establish and maintain ICFR since 1977, with a number of changes along the way.
ICFR REPORTING REQUIREMENTS TIMELINE
1977 FCPA
Federal law began requiring public companies to establish and maintain a system of internal controls with the passage of the Foreign Corrupt Practices Act (FCPA). This act was intended to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with generally accepted accounting principles (GAAP).
1991 FDICIA
The passage of FDICIA introduced the ICFR concept to nonpublic depository institutions, and extended to both financial statements prepared in accordance with GAAP and quarterly financial reports prepared for regulators, commonly referred to as call reports.
1992 COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a framework to assist companies in structuring and evaluating controls that address a broad range of risks, which was revised in 2013.
2002 SOX
Section 404 of the Sarbanes-Oxley Act, commonly referred to as SOX, added the requirement that most public companies assess and publicly report on the effectiveness of their ICFR. The act also required many public companies to use an external independent auditor to audit the effectiveness of their ICFR, in accordance with standards and reporting requirements established by the Public Company Accounting Oversight Board (PCAOB).
2015 SAS 130
Internal control reporting for nonpublic companies is now required to be an integrated audit of the financial statements and ICFR.
Under the COSO framework, there are five interrelated components to an effective internal control system, based on the way a company is managed on a day-to-day basis.
FIVE COMPONENTS OF AN INTERNAL CONTROL SYSTEM
as applied to financial reporting
1 CONTROL ENVIRONMENT
How the company views internal control, including the ethical tone set by management and the effectiveness of the board’s audit committee in its high-level oversight of financial reporting.
2 RISK ASSESSMENT
Understanding the processes, data points, and judgements that feed into the company’s financial reports and their associated risks is essential. A process that is highly susceptible to fraud would be considered a high-risk area.
3 CONTROL ACTIVITIES
The way in which controls are actually designed and implemented within the company, so as to address the identified risks.
4 INFORMATION AND COMMUNICATION
How information within the company is gathered and shared, both internally among people responsible for financial reporting and externally with users of financial reports.
5 MONITORING
Tracking the way control efficiency is assessed by company management.
OBJECTIVES FOR AUDITORS UNDER SAS 130
The primary objective for auditors under SAS 130 is to assess whether material weaknesses in ICFR exist as of the date specified in management’s assessment. This change brings annual ICFR reporting requirements more in line with SOX Section 404 requirements for public companies than the previous examination standard used to comply with FDICIA.
Here’s how an auditor achieves this objective.
• IDENTIFY significant classes of transactions, account balances, disclosures, and their related assertions
• UNDERSTAND likely sources of misstatement
• ASSESS the design effectiveness of controls
• TEST the operating effectiveness of controls
• EVALUATE and communicate results
Closer alignment between the ICFR requirement under FDICIA and SOX, together with the overall sophistication of ICFR audits, is motivating larger nonpublic institutions to be more rigorous in evaluating the design and structure of their internal control systems, and in assessing their effectiveness in preparation for an external integrated audit.
IMPLEMENTATION
Regardless of whether companies are meeting FDICIA or SOX Section 404 requirements, compliance requires considerable personnel time, extensive analysis and documentation, and a willingness to take on additional costs.
CHALLENGES
Some common implementation challenges may include the following nine items.
ADOPTION
Framework and compliance procedures that are completely foreign to your financial institution, particularly the internal audit function
SUPPORT
Difficulty maintaining buy-in from senior management and the board due to unfamiliarity with appropriate internal control framework and process
PLANNING
Not allowing sufficient time to plan and commit necessary resources
EXPERTISE
Existing personnel lacking the skills needed to consider, document, or test ICFR, particularly around IT and other specialty areas
PURPOSE
Confusing operational, regulatory, and asset safeguarding controls with key internal controls over financial reporting
CULTURE
An institutional culture that doesn’t emphasize ownership of key internal controls beyond day-to-day responsibilities
RIGOR
Over or under documenting and testing of key internal controls
COORDINATION
Superficial communication with external auditors resulting in ineffective, duplicative, or last-minute testing
SUBSTANCE
Following a checklist approach rather than a thoughtful, risk-based mindset
AN EFFECTIVE APPROACH
Planning and Risk Assessment
This phase sets the stage for further control evaluation, testing, and reporting. The initial steps include coordinating risk assessment and logistics between staff, internal auditors (either in-house or outsourced), and external independent auditors. Make sure procedures between internal audit and external independent auditors are agreed upon ahead of time to ensure effectiveness. IT systems have become an increasingly important element of ICFR and should also be addressed early in the process.
Documentation
Setting and adhering to a defined set of standards when documenting control system design and walkthrough procedures—including flowcharts and narrative outlines—can help encourage efficiency and facilitate a common understanding among all parties. Rigorous documentation is particularly important for controls that require the exercise of judgment, such as accounting estimates or management review controls.
Testing
While testing individual controls is fairly routine, it’s important to establish expectations and lines of communication between staff, internal auditors, and external auditors before testing begins. Understanding key factors such as sample sizes, testing protocols, timing of test procedures, and remediation processes is essential to the effective completion of a successful ICFR engagement. This especially includes procedures that address IT controls and ensuring appropriate specialist resources are coordinated among all parties.
Evaluation
It’s important to identify deficiencies, effectively communicate findings, identify and document mitigating controls that may exist, and conclude on the results of the ICFR assessment. Financial institutions and their external independent auditors are expected to reach similar conclusions on the effectiveness of ICFR. Following a similar framework for evaluating the results of the ICFR process will help avoid any communication gaps.
Implementing ICFR assessment procedures and executing testing and reporting grow in complexity every year and are often outside of management’s day-to-day expertise. Many executives seek the assistance of third-party professionals to assure compliance and coordination with independent external auditors.
BENEFITS OF OUTSOURCING
• An independent, open-minded view of the control systems and processes that exist within the company
• In-depth understanding of the COSO control framework and the ability to coordinate organization-wide implementation
• Cost-effective due to third-party industry knowledge and procedures and tools that have already been developed
• Efficient communication between management and external independent auditors
• Strong coordination and cooperation between auditors and third parties who understand the requirements and procedures they follow, resulting in less duplicative effort
WE’RE HERE TO HELP
Understanding a financial institution’s ICFR requirements and coordinating them with the efforts of its independent external auditors is complex and important. To learn more, contact your Moss Adams professional.
mossadams.com
About Moss Adams
With more than 3,400 professionals across 25-plus locations in the West and beyond, Moss Adams provides the world’s most innovative companies with specialized accounting, consulting, and wealth management services to help them embrace emerging opportunity. Discover how Moss Adams is bringing more West to business.
Assurance, tax, and consulting offered through Moss Adams LLP. Investment advisory services offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.